Hi,

Why do you need a different default group?

Does this documentation helps you?  https://confluence.atlassian.com/adminjiraserver073/modify-group-membership-861253187.html 

https://confluence.atlassian.com/adminjiraserver073/manage-group-access-to-applications-861253190.html 

This is actually very frustrating. 

We provision our users via Azure AD.  We can't make this provisioned group default due to it being read-only (since it's synced), and we can't stop users from getting the assigned to the default group. 

So when one of our users gets access to Jira via Azure AD they are added to two groups in atlassian: The provisioned group and the default group.

Which in turn means that when a user is removed from the Azure AD group their account takes up a license and they can still access the product. 

Or does anyone have a work-around for this? 

Well, I also found it inconvenient that all new users are automatically added to the default group (in my case, confluence-users) even if you indicate an explicit group on invite that already covers all the permissions they need. And that this group, by default, gives access to all spaces on my product (Confluence).

To avoid troubles, I do the following:

1. Create one custom group per space (project) and invite users working on that project to this custom group. In project Space Permissions, just add that custom group with the usual permissions to add pages, comments, attachments, etc.

2. For each project in Space Permissions, remove all permissions on the default group (here, confluence-users). Just click on Edit Permissions, Select All, then Deselect All, Save all. The default group will be removed from the group list after that (as only groups with at least one permission are shown). I found no way to set default permissions on new Spaces for that group, so for every new Space, I must remember to do this (together with 1.).

3. Remove every new user invited from default group (confluence-users) manually.

Technically you only need to do 2. (default group has no permissions) or 3. (user is not in default group), but because everything is added automatically, if the user happens to login between the time you invited them, and did either 2 or 3, they will, for a short time, be able to access all your Confluence products. So it's safer to do 2. for each Space anyway, as unlike 3., you can do it once per space, before inviting a user.

I really wish the process was more streamlined (for instance, like GitHub, you would manage access per user or per team, in a very clear manner; Atlassian introduced the concept of teams but it's only used for communication, so we still need groups; which would work fine if not for unexpected default group permissions). And that Atlassian would warn you for every user given permissions to all your spaces. Since I've myself only realized it quite late, I wonder how many teams are currently misconfigured with permission leaks at the moment...